Koohong Kang
Pohang University of Science and Technology
Publication
Featured research published by Koohong Kang.
Computer Communications | 1997
Koohong Kang; Cheeha Kim
The cell loss probability and the mean cell delay are major performance metrics in analyzing a statistical multiplexer loaded with a superposition of independent and heterogeneous bursty sources. In this paper, we model each arrival process by a two-state discrete-time Markovian arrival process (D-MAP). We discuss that this traffic modeling is more realistic than the other ones in ATM networks. Then we model the superposition of r types of the two-state D-MAPs into a discrete-time batch Markovian arrival process (D-BMAP) with 2^r states. By using the steady-state analysis of the D-BMAP/D/1/K queueing model, we obtain the exact cell loss probabilities and the mean cell delays for each type of traffic in the statistical multiplexer. In particular, we derive the formulas concerned with these performance metrics under two buffer access strategies of the simultaneous cell arrivals at the same slot: (1) fair access, and (2) priority access. From some numerical examples, we show that the performance of each traffic at the statistical multiplexer may be severely affected by its own traffic characteristics and priority of buffer access, as well as the traffic characteristics of the others.
Asia Pacific Network Operations and Management Symposium | 2007
Ikkyun Kim; Koohong Kang; Yangseo Choi; Dae Won Kim; Jintae Oh; Kijun Han
Research on zero-day network attack detection and signature generation has been highlighted as an issue because new network attacks break out faster than they can be predicted. In this paper, we propose a very practical method that detects executable code within the network packet payload. It could be used as the key function of signature generation against zero-day attacks or of high-speed anomaly detection. The proposed heuristic method can be expressed in terms of visually classifying the characteristics of the instruction patterns of executable code. We then generalize this by applying a discrete-parameter Markov chain. Our experimental study showed that the presented scheme could find all types of executable code in our experiments.
Global Communications Conference | 1995
Koohong Kang; Yongseok Yoon; Cheeha Kim
We propose a connection admission control (CAC) scheme which supports multiple quality of service (QoS) requirements. Our scheme is based on the approach which determines the virtual bandwidth for each class of traffic and decomposes the system into multiple sub-queueing systems, one for each class. The steady-state analysis of the MMPP/CD/1/K queue gives the exact cell loss probability of each sub-queueing system and estimates more accurately the number of connections to accommodate each of them. Moreover, in order to improve the bandwidth utilization of the segregated sub-queueing systems, we take into account the sharable state among them. The concept of sharable state enables one to increase the number of admitted calls without deteriorating the system performance. Our approach is computable in real time. Finally, we verify the analytic results with simulation.
Journal of Information Processing Systems | 2012
Koohong Kang
We propose an analytic model to compute the station's saturated throughput and packet delay performance of the IEEE 802.11 DCF (Distributed Coordination Function) in which frame transmission error rates in the channel are different from each other. Our analytic model shows that a station experiencing worse frame error rates than the others suffers severe performance degradation below its deserved throughput and delay performance. 802.11 DCF adopts an exponential back-off scheme. When some stations suffer from high frame error rates, their back-off stages should be increased so that others get the benefit from the smaller collision probabilities. This impact is then recursively applied to degrade the performance of the victim stations. In particular, we show that the performance is considerably degraded even if the frame error rate of the victim station satisfies the receiver input level sensitivity that has been specified in the IEEE 802.11 standard. We also verify the analytic results with OPNET simulations.
IEICE Transactions on Information and Systems | 2008
Ikkyun Kim; Koohong Kang; Yangseo Choi; Dae Won Kim; Jintae Oh; Jongsoo Jang; Kijun Han
The ability to quickly recognize executable content inside network flows is a prerequisite for malware detection. For this purpose, we introduce an instruction transition probability matrix (ITPX), which is composed of the IA-32 instruction set and reveals the characteristics of the instruction transition patterns of executable code. We then propose a simple algorithm to detect executable code inside network flows using a reference ITPX learned from known Windows Portable Executable files. We have tested the algorithm with more than thousands of executable and non-executable codes. The results show that it is promising enough to use in the real world.
Asia-Pacific Conference on Communications | 2003
Jinoh Kim; Koohong Kang; Jung-Chan Na; Ikkyun Kim; Ki-Young Kim; Jongsoo Jang; Sungwon Sohn
With the growing deployment of intrusion detection systems, managing reports from these systems becomes critically important. In situations where there are intensive intrusive actions, not only will actual alerts be mixed with false alerts, but the amount of alerts will also become unmanageable. As a result, it is difficult for human users or intrusion response systems to understand the intrusions behind the alerts and to take appropriate actions. Even if isolated events are not considered significant, the set of events may be critical. Alert correlation analysis examines meaningful relationships between alert messages. Situation analysis is a branch of alert correlation analysis; it observes attack activities by aggregating alerts that have certain characteristics in common. In this paper, we present an effective and practical situation analysis scheme that provides real-time analysis capability.
Telecommunication Systems | 1999
Koohong Kang; Bart Steyaert
Among various cell scheduling schemes for ATM networks, weighted round‐robin (WRR) seems a promising algorithm for explicit bandwidth allocation [15]. In this paper, we present a method for analyzing a discrete‐time queueing model of a statistical multiplexer with contiguous slot assignments, deterministic vacations, and bursty input sources, which serves as a bound analysis for WRR scheduling in ATM networks. Similar models have been studied as well in the context of TDMA (time division multiple access) schemes with multiple contiguous slots assigned per frame [3,16]. For the model under study, after establishing an expression for the probability generating function (pgf) of the system contents, we derive closed‐form expressions for performance measures such as the expected value, and an asymptotic approximation for the tail probabilities of the system contents distribution. Also, after examining the cell delay, we formulate the pgf of the cell delay in a closed form in terms of the system contents pgf. The numerical results obtained for the system contents and cell delay distributions illustrate that they match with simulation results extremely well, especially in the low probability area. We also discuss the impact of the slot assignment cycle of WRR on the system performance.
Asia Pacific Network Operations and Management Symposium | 2009
Yoohee Cho; Koohong Kang; Ikkyun Kim; Kitae Jeong
Considerable attention has been paid in recent years to detecting network traffic anomalies in order to protect our networks from the persistent threats of DDoS and unknown attacks. As a preprocessing step for many state-of-the-art attack detection technologies, baseline traffic modeling is a prerequisite for discriminating anomalous flows from normal traffic. In this paper, we analyze the traffic from various network transit points on an ISP backbone network and present a baseline traffic model using simple linear regression on the imported NetFlow data: bits per second and flows per second. Our preliminary explorations indicate that the proposed modeling is very effective at recognizing anomalous traffic on real networks.
The Journal of the Korea Contents Association | 2009
Koohong Kang
As the use of computers and mobile handsets becomes widespread, the processing and storing of private and business data are increasing. Hence we note that these sensitive data should never be transferred out of these personal devices without the user's permission. In this paper, we propose a simple method to prevent the transfer of sensitive data out of personal computing devices through their networking interfaces. The proposed method determines which processes invoke the open system call related to the sensitive data, and then traces them for a specific duration. The proposed scheme has an advantage over existing ones that use authentication or encryption because it keeps working independently of new attack technologies or the latest vulnerabilities of hardware and software. In order to verify the proposed algorithm, we test it by implementing the necessary code in the user and kernel spaces of Linux.
International Conference on Information Networking | 2008
Koohong Kang
Protecting network systems against novel attacks is a pressing problem. In this paper, we propose a new anomaly detection method based on inbound network traffic distributions. For this purpose, we first present the diverse distributions of TCP/IP protocol header fields at the border router of a real campus network, and then characterize the distributions when well-known denial-of-service (DoS) attacks are present. We show that the distributions give promising baselines for detecting network traffic anomalies. Moreover, we introduce the concept of entropy to transform the obtained distribution into a metric for declaring an anomaly. Our preliminary explorations indicate that the proposed method is effective at detecting several DoS attacks on the real network.